[gnutls-help] Help allowing SHA1

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jan 30 10:33:11 CET 2020


I do not think (but please correct me) that this version of Ubuntu
you're using has something like a system-wide policy, so it will not
be possible to change the SHA1 acceptance system-wide. In that case it
will be more effective to try and change the priority string on the
specific applications you are interested in. The newer versions of gnutls
have a more powerful configuration that can be used to implement a
modifiable system-wide policy.

regards,
Nikos

On Mon, Jan 27, 2020 at 5:29 AM Brandon Sawyers <brandor5 at gmail.com> wrote:
>
> Sorry, I should have made it clear before.
>
> I've tried putting the string in both /etc/gnutls/config and /etc/gnutls/default-priorites according to the docs I found but, neither worked.
>
> Thanks,
>
> On Sun, Jan 26, 2020, 17:18 Brandon Sawyers <brandor5 at gmail.com> wrote:
>>
>> Thanks for the help.
>>
>> We are already in the process of updating some of the certs. Thanks for the reminder.
>>
>> Now I just need to figure out how to have the priority string apply system-wide instead of just gnutls-cli.
>>
>> Any tips there?
>>
>> Thanks again,
>> Brandon
>>
>>
>>
>> On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <xnox at ubuntu.com> wrote:
>>>
>>> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <xnox at ubuntu.com> wrote:
>>> >
>>> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>>> > >
>>> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <brandor5 at gmail.com> wrote:
>>> > > >
>>> > > > Hello everyone:
>>> > > >
>>> > > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still in the process of migrating our last services off of SHA1 with a target date of April this has put us in a pickle.
>>> > > >
>>> > > > From reading the docs I expect I should be able to use priority and allow SHA1 to function, however making this work has been rather frustrating.
>>> > > >
>>> > > > I've tried several different versions of the following command but I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should work.
>>> > > >
>>> > > > `gnutls-cli --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>>> > >
>>> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available
>>> > > priority strings are documented in:
>>> > > https://gnutls.org/manual/html_node/Priority-Strings.html
>>> > >
>>> >
>>> > From what I can tell, the backports do not include that
>>> > flag.... I'm escalating this, as this is regression-security as I do
>>> > not believe that upstream code is affected as this is an issue in the
>>> > patch set released in ubuntu.
>>> >
>>> > I hope to move this discussion downstream to
>>> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
>>> >
>>>
>>> To close this out, a further update got published to the affected
>>> releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
>>> "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
>>> one to re-enable obsoleted hashes in certificate signatures.
>>>
>>> But please upgrade your certificates to use SHA256 nonetheless as
>>> progressively more software will start outright rejecting SHA1
>>> certificates without a way to turn them back on.
>>>
>>> --
>>> Regards,
>>>
>>> Dimitri.
>
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help
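Before deciding whether an override such as "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string is still needed, it helps to know which certificates in a chain actually carry SHA1 signatures. The following is an added example, not code from the gnutls project or from anyone in this thread: a standard-library-only DER walker that reads the outer signatureAlgorithm OID of each certificate in a PEM bundle and flags the ones signed with MD5 or SHA1. The certificates it is run on here are constructed DER skeletons (correct outer layout, dummy contents) so the script runs offline; point `scan_pem_chain` at a real chain file such as the `cachain-with-sha1-signed-cert.pem` mentioned above and it walks the same structure.

```python
"""Inventory the signature hash of every certificate in a PEM chain.

Added example (not from gnutls or this thread). Reads the signatureAlgorithm
AlgorithmIdentifier that follows tbsCertificate in a DER-encoded X.509
certificate and reports which certificates still use SHA1 (or MD5) signatures.
"""
import base64
import re

# Signature-algorithm OIDs and the hash each one uses (RFC 3279 / 4055 / 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA384"),
}
WEAK_HASHES = {"MD5", "SHA1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert OID content bytes to dotted notation."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Return (oid, algorithm name, hash name) for a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm (AlgorithmIdentifier)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    name, hash_name = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def scan_pem_chain(pem_text):
    """Return [(index, algorithm, hash, is_weak)] for each certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    results = []
    for i, b64 in enumerate(blocks):
        der = base64.b64decode("".join(b64.split()))
        _, name, hash_name = signature_algorithm(der)
        results.append((i, name, hash_name, hash_name in WEAK_HASHES))
    return results


# --- Constructed sample input (DER skeletons, not real certificates) ---------

def _tlv(tag, content):
    """Encode a DER TLV, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_skeleton_cert(sig_oid):
    """Constructed Certificate: SEQUENCE { tbs, AlgorithmIdentifier{oid, NULL}, BIT STRING }."""
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 200))   # dummy tbsCertificate (long-form length)
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" * 17)                # dummy signature value
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = (to_pem(make_skeleton_cert("1.2.840.113549.1.1.11"))   # SHA256 leaf
                + to_pem(make_skeleton_cert("1.2.840.113549.1.1.5")))  # SHA1 intermediate

if __name__ == "__main__":
    for idx, name, h, weak in scan_pem_chain(SAMPLE_CHAIN):
        print(f"cert[{idx}]: {name} ({h}){'  <-- needs re-issuing' if weak else ''}")
```

Any certificate that shows up as weak is one that verification will refuse without the override from the thread; a chain that reports no weak entries no longer needs it, and the override can be dropped from the priority string.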